Pension Benefit Guaranty Corporation
Office of Inspector General
Evaluation Report

Fiscal Year 2009 Federal Information Security Management Act (FISMA)
Independent Evaluation Report

March 22, 2010
EVAL-2010-7 / FA-09-64-7


Contents

                                                                      Page

Independent Auditor's FISMA Evaluation Report .......................... 1

Section

     I.  Executive Summary ............................................. 2
    II.  Background .................................................... 2
   III.  Objectives .................................................... 3
    IV.  Scope and Methodology ......................................... 3
     V.  Summary of Current Year Testing ............................... 4
    VI.  Findings and Recommendations .................................. 5
   VII.  Previously Reported FISMA-Related Findings .................... 10
  VIII.  FISMA Recommendations Closed in Fiscal Year 2009 .............. 16
    IX.  Prior and Current Years' Open FISMA Recommendations ........... 16
     X.  Management Response ........................................... 17


Ms. Rebecca Anne Batts
Inspector General
Pension Benefit Guaranty Corporation
1200 K Street, N.W.
Washington DC 20005-4026

Dear Ms. Batts:

We are pleased to provide the Fiscal Year (FY) 2009 Federal Information Security Management Act (FISMA) Independent Evaluation Report, detailing the results of our review of the Pension Benefit Guaranty Corporation (PBGC) information security program.

FISMA requires Inspectors General (IG) to conduct annual evaluations of their agency's security programs and practices, and to report the results of their evaluations to the Office of Management and Budget (OMB). OMB Memorandum M-09-29, "FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," provides instructions for completing the FISMA evaluation.
Evaluations conducted by Offices of Inspector General (OIG) are intended to independently assess whether the agencies are applying a risk-based approach to their information security programs and the information systems that support the conduct of agency missions and business functions.

Clifton Gunderson LLP completed the required responses on behalf of the PBGC OIG. The OIG then reviewed, approved, and submitted the responses to OMB on November 18, 2009. This evaluation report provides additional information on the results of our review of the PBGC information security program.

In preparing required responses on behalf of the OIG, we coordinated with PBGC management and appreciate their cooperation in this effort. In its response to a draft of this report, PBGC management was in general agreement with the recommendations contained in the report and provided specific responses to each recommendation. Management's response is included in its entirety in Section X of this report.

Calverton, Maryland
November 18, 2009

11710 Beltsville Drive
Suite 300
Calverton, Maryland 20705
tel: 301-931-2050
fax: 301-931-1710
www.cliftoncpa.com
Offices in 17 states and Washington, DC


I.    EXECUTIVE SUMMARY

Title III of the E-Government Act (Public Law No. 104-347), also called the Federal Information Security Management Act (FISMA), requires agencies to adopt a risk-based, life cycle approach to improving computer security that includes annual security program reviews, independent evaluations by the Inspector General (IG), and reporting to the Office of Management and Budget (OMB) and the Congress. It also codifies existing policies and security responsibilities outlined in the Computer Security Act of 1987 and the Clinger Cohen Act of 1996.

We are reporting six (6) FISMA findings with twelve (12) recommendations for FY 2009 based on the results of our Fiscal Year (FY) 2009 independent evaluation. In addition, fifteen (15) FISMA-related findings with thirty-six (36) recommendations were reported in the Corporation's FY 2009 internal control report based on our FY 2009 financial statements audit work. Overall, we determined that the Pension Benefit Guaranty Corporation (PBGC) has not established an effective information security program and has not been proactive in reviewing security controls and identifying areas to strengthen this program.


II.   BACKGROUND

The Pension Benefit Guaranty Corporation (PBGC) protects the pensions of nearly 44 million workers and retirees in more than 29,000 private defined benefit pension plans. Under Title IV of the Employee Retirement Income Security Act of 1974 (ERISA), PBGC insures, subject to statutory limits, pension benefits of participants in covered private defined benefit pension plans in the United States. To accomplish its mission and prepare its financial statements, PBGC relies extensively on information technology (IT). Internal controls over these operations are essential to ensure the confidentiality, integrity, and availability of critical data while reducing the risk of errors, fraud, and other illegal acts.

PBGC has become increasingly dependent on computerized information systems to execute its operations and to process, maintain, and report essential information. As a result, the reliability of computerized data and of the systems that process, maintain, and report this data is a major priority for PBGC.
While the increase in computer interconnectivity has changed the way the government does business, it has also increased the risk of loss and misuse of information by unauthorized or malicious users. Protecting information systems continues to be one of the most important challenges facing government organizations today.

Through FISMA, the U.S. Congress showed its intention to enhance the management and promotion of electronic government services and processes. Its goals are to achieve more efficient government performance, increase access to government information, and increase citizen participation in government. FISMA also provides a comprehensive framework for ensuring the effectiveness of security controls over information resources that support federal operations and assets. It also codifies existing policies and security responsibilities outlined in the Computer Security Act of 1987 and the Clinger Cohen Act of 1996.

PBGC operates an open and distributed computing environment to facilitate collaboration and knowledge sharing, and to support its mission of protecting the pensions of nearly 44 million workers and retirees. It faces the challenging task of maintaining this environment while protecting its critical information assets against malicious use and intrusion.

The PBGC Office of Inspector General (OIG) contracted with Clifton Gunderson LLP (CG) to conduct PBGC's FY 2009 FISMA Independent Evaluation. We performed this evaluation in conjunction with our review of information security controls required as part of the annual financial statement audit.


III.   OBJECTIVES

The purposes of this evaluation were to assess the effectiveness of PBGC's information security program and practices and to determine compliance with the requirements of FISMA and related information security policies, procedures, standards, and guidelines.


IV.    SCOPE AND METHODOLOGY

To perform our review of PBGC's security program, we followed a work plan based on the following guidance:

       •  National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, for specification of security controls.
       •  NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, for certification and accreditation controls.
       •  NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, for the assessment of security control effectiveness.
       •  Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM: GAO-09-232G), for information technology audit methodology.

The combination of these methodologies allowed us to meet the requirements of both FISMA and the Chief Financial Officer's Act.

Our procedures included internal and external security reviews of PBGC's information technology (IT) infrastructure; reviewing agency Plans of Action and Milestones (POA&Ms); and evaluating the following subset of PBGC's major systems:

       •  Consolidated Financial System (CFS)
       •  Premium Accounting System (PAS)
       •  Integrated Present Value of Future Benefits (IPVFB)
       •  Pension and Lump Sum System (PLUS)
       •  ComprizonSuite
       •  Administar

We performed procedures to test (1) PBGC's implementation of an entity-wide security plan, and (2) operational and technical controls specific to each application, such as service continuity, logical access, and change controls.
We also performed targeted tests of controls over financial and business process applications. We performed our review from March 24, 2009 to September 30, 2009 at PBGC's headquarters in Washington DC. We also performed a security assessment of the PLUS application in July 2009 at State Street Corporation in Quincy, Massachusetts. This independent evaluation was prepared based on information available as of September 30, 2009.


V.    SUMMARY OF CURRENT YEAR TESTING

Our review of IT controls covered general and selected business process application controls. General controls are the structure, policies, and procedures that apply to an entity's overall computer systems. They include entity-wide security management, access controls, configuration management, segregation of duties, and contingency planning controls. Business process application controls are those controls over the completeness, accuracy, validity, confidentiality, and availability of transactions and data during application processing.

Our review also included the integration of financial management systems to ensure effective and efficient interrelationships. These interrelationships include common data elements, common transaction processing, consistent internal controls, and transaction entry.

PBGC's systemic security control weaknesses and the lack of an integrated financial management system posed increasing and substantial risk to PBGC's ability to carry out its mission during FY 2009. Communication between PBGC's key decision makers did not convey the urgent need for decisive strategic decisions to correct fundamental weaknesses in PBGC's IT infrastructure and environment. Strategic IT decisions did not address these deficiencies and significant weaknesses. Furthermore, these weaknesses were not addressed in the status of corrective actions being reported. As a result, PBGC's attempt to address entity-wide security management program deficiencies and systemic security control weaknesses at the root cause level had minimal effect.

PBGC's decentralized approach to system development and configuration management has exacerbated control weaknesses and encouraged inconsistency in implementing strong technical controls and best practices. The influx of 620 plans for over 800,000 participants from 2002-2005 contributed to PBGC's disjointed IT development and implementation strategy. The mandate to meet PBGC's mission objectives by implementing technologies to receive the influx of plans superseded proper enterprise planning and IT security controls. The result was a series of stovepipe solutions built upon unplanned and poorly integrated heterogeneous technologies with varying levels of obsolescence.

PBGC's management is starting to take actions to correct control weaknesses by conducting an assessment of its Oracle database environment, initiating an IT infrastructure modernization program, completing the Enterprise Architecture (EA) segment architecture, and implementing strategic decisions on IT sourcing.

Our current year audit work found deficiencies in the areas of security management, access controls, configuration management, and segregation of duties. Control deficiencies were also found in policy administration, and in the certification and accreditation of major applications and general support systems. An effective entity-wide security management program requires a coherent strategy for the architecture of the IT infrastructure and the deployment of systems. The implementation of a coherent strategy provides the basis and foundation for the consistent application of policy, controls, and best practices. PBGC first needs to develop and implement a framework to improve its security posture. This framework will require time for effective control processes to mature.

Based on our findings, we are reporting that significant deficiencies in the following areas constitute a material weakness for FY 2009:

     1.  Entity-wide security program planning and management,
     2.  Access controls and configuration management,
     3.  Privacy,
     4.  Plan of Action and Milestones (POA&M), and
     5.  Miscellaneous FISMA Controls.

The findings noted under entity-wide security program planning and management, and under access controls and configuration management, were reported in the Report on Internal Controls Related to the Pension Benefit Guaranty Corporation's Fiscal Year 2009 and 2008 Financial Statements Audit (AUD-2010-2/FA-09-64-2) issued on November 12, 2009. As a result of our findings, we made recommendations to correct the deficiencies. A table summarizing these findings is in Section VII of this report.

In addition, our audit also found deficiencies specifically related to responses required by OMB Memorandum M-09-29, which are included in this report. These findings and recommendations, not previously reported, are as follows.


VI.   FINDINGS AND RECOMMENDATIONS

1. Privacy

•   The PBGC's Privacy Office does not properly monitor its privacy processes for quality and compliance.
We noted the following weaknesses:

         −   Privacy Impact Assessments (PIAs) for PBGC's major applications and general support systems were not updated on an annual basis in accordance with PBGC Information Assurance Handbook, Volume 12.

         −   The PIA Executive Summary for the major applications posted on PBGC's Internet site was updated in March 2007 and does not reflect the current PIAs conducted.

         −   System of Records Notices (SORNs) for nine (9) out of fourteen (14) of PBGC's major applications and general support systems are not current, as there were subsequent changes to the system after which the SORN was not updated.

    PBGC's Information Assurance Handbook (IAH), Volume 12, Security Planning Procedures, requires the Information System Security Officer (ISSO) and Information System Owners to complete the PIA before collecting information in an identifiable form. The PIA is then reviewed and approved by PBGC's Privacy Officer.

    PBGC contracted for an assessment of its Oracle database in 2009 and issued an Oracle Assessment Report in March 2009. The report identified several weaknesses related to protecting personally identifiable information (PII), including the following:

         −   PII existed in the development environment.

         −   PBGC does not encrypt its backup tapes, putting PII data at risk when it leaves the datacenter.

         −   There is nothing in the PBGC IT environment (i.e. production, test, and development environments) that prevents the loss of PII data. If somebody were to get access to the backup data, they would have unfiltered access to all data elements including PII.

Recommendations:

    o   Review and update the Privacy Impact Assessments (PIAs) at least annually in accordance with PBGC's Information Assurance Handbook. (OIG Control Number FISMA-09-01)

        Management's Response: PBGC agreed.

    o   Conduct an annual review of the PIAs on PBGC's website to verify that they reflect the most recent PIAs conducted. (OIG Control Number FISMA-09-02)

        Management's Response: PBGC agreed.

    o   Review and update the System of Records Notices (SORNs) periodically, at least annually, to reflect current conditions. (OIG Control Number FISMA-09-03)

        Management's Response:

        PBGC agreed in part and is assigning additional legal staff from the Office of General Counsel to review and update existing Privacy Act System of Records Notices (SORNs) for publication in the Federal Register. On January 8, 2010, the Privacy Officer sent a copy of the existing SORNs to the designated manager of each system of records for review, and requested the submission of any proposed changes to the SORN from the manager. As of March 10, 2010, all system owners had responded. PBGC expects to complete this aspect of the recommendation by June 1, 2010.

        In addition, the Privacy Officer will establish procedures to send a notice by May 1st of every other year to the designated manager of each existing Privacy Act System of Records that requests the manager to certify that the SORN remains accurate and up-to-date, and if not, to submit proposed changes to the Privacy Officer within 30 days. Under Appendix 1 to OMB Circular No. A-130, Management of Federal Information Resources, dated November 28, 2000, PBGC is required to review SORNs at least once every two years, not annually. PBGC expects to complete this aspect of the recommendation by September 30, 2010.

        CG's Evaluation of Management's Response:

        We believe the actions proposed by PBGC management are responsive to our recommendation.


•   PBGC's process for reporting PII incidents is inaccurate and unverifiable. We could not verify or validate log entries on incidents reported to the United States Computer Emergency Readiness Team (US-CERT). Evidence provided could not be traced to incidents reported to US-CERT.

    We also noted inconsistencies in the reporting of similar PII breaches to US-CERT. Our review of PBGC's FY 2009 PII incident log noted that only six (6) of nineteen (19) PII incidents were reported to US-CERT. For example, an incident dated 10/24/08 disclosing a participant's social security number (SSN) was not reported to US-CERT; however, a similar incident on 11/12/08 disclosing a participant's SSN was reported to US-CERT. Furthermore, PBGC does not have guidelines for reporting PII incidents.

    Without timely and effective remediation of PII incidents, PBGC is at risk for similar compromises, which may result in participant personal information being at risk.

Recommendations:

    o   Develop and follow specific guidance on how and when to report incidents involving PII disclosure. (OIG Control Number FISMA-09-04)

        Management's Response: PBGC agreed.

    o   Ensure all incidents involving PII are reported to US-CERT within 1 hour of discovery. (OIG Control Number FISMA-09-05)

        Management's Response: PBGC agreed.

    o   Ensure all reports submitted to US-CERT are documented and maintained appropriately. (OIG Control Number FISMA-09-06)

        Management's Response: PBGC agreed.


•   Technical controls related to the protection of PII need to be strengthened. Based on our review, we noted that:

         −   No encryption mechanism was in place on PBGC laptops.

         −   No formalized procedures were in place to control laptops leaving PBGC premises.

    Any unauthorized use, disclosure, or loss of PII data can result in the loss of the public's trust and confidence in PBGC's ability to properly protect it. PII data breaches may have far-reaching implications for individuals whose PII is compromised, including identity theft resulting in financial loss and/or personal hardship experienced by the individual. A PII data breach may also require significant PBGC staff, time, assets, and financial resources to mitigate the negative consequences, which may prevent PBGC from allocating those resources elsewhere.

Recommendation:

    o   Implement encryption on all PBGC laptops to ensure that PII is adequately protected. (OIG Control Number FISMA-09-07)

        Management's Response: PBGC agreed.


2. Plan of Action and Milestones (POA&M)

•   PBGC management did not provide CG with a copy of the entity-wide POA&M.
Lack of an up-to-date and consolidated POA&M will result in identified security deficiencies not being properly tracked and monitored, and thereby not remediated in a timely manner.

Recommendations:

    o   Develop, maintain, and update PBGC's entity-wide plan of action and milestones, at least on a quarterly basis, and ensure it includes all entity-wide security deficiencies noted. (OIG Control Number FISMA-09-08)

        Management's Response: PBGC agreed.

    o   Disseminate PBGC's entity-wide POA&M to all responsible parties to ensure corrective actions are taken in accordance with the POA&M. (OIG Control Number FISMA-09-09)

        Management's Response: PBGC agreed.


•   PBGC's POA&M process is ineffective. We noted the following deficiencies in FY 2009:

         −   No evidence that reports on the progress of security weakness remediation are being provided to the Chief Information Officer (CIO) on a regular basis.

         −   No evidence that the PBGC CIO centrally tracks, maintains, and independently reviews/validates POA&M activities on at least a quarterly basis.

Recommendations:

    o   Ensure that the agency and program-specific plans of action and milestones are tracked appropriately and provided to PBGC's CIO regularly. (OIG Control Number FISMA-09-10)

        Management's Response: PBGC agreed.

    o   Ensure PBGC's CIO centrally tracks, maintains, and independently reviews/validates POA&M activities, at least on a quarterly basis. (OIG Control Number FISMA-09-11)

        Management's Response: PBGC agreed.


3. Miscellaneous FISMA Controls

•   PBGC has not included information about its IT security policies and requirements, including use of NIST common security configurations, in all of its IT contracts as required by FAR § 39.101(d).

Recommendation:

    o   Ensure all PBGC IT acquisitions include appropriate language as required by FAR § 39.101(d). (OIG Control Number FISMA-09-12)

        Management's Response: PBGC agreed.


VII.  PREVIOUSLY REPORTED FISMA-RELATED FINDINGS

The following table summarizes FISMA-related findings noted under entity-wide security program planning and management, access controls, and configuration management that were reported in the Report on Internal Controls Related to the Pension Benefit Guaranty Corporation's Fiscal Year 2009 and 2008 Financial Statements Audit (AUD-2010-2/FA-09-64-2) issued November 12, 2009.

1.  Finding Summary: PBGC has identified sixty-five (65) common security controls for the seventeen (17) NIST SP 800-53, Recommended Security Controls for Federal Information Systems, security control families. Of the 65 common security controls tested by PBGC, only four controls were properly designed and operating effectively. Weaknesses in PBGC's infrastructure design and deployment strategy for systems and applications have adversely affected its ability to effectively implement common security controls across its systems and applications.

    Recommendations:

    o   Effectively communicate to key decision makers the state of PBGC's IT infrastructure and environment to facilitate the prioritization of resources to address fundamental weaknesses. (OIG Control Number FS-09-01)

    o   Complete and confirm the design, implementation, and operating effectiveness of all 65 common security controls identified. (OIG Control Number FS-08-01)

    o   Develop a process to review and validate reported progress on the implementation of the common security controls. Implement a strategy to test and document the effectiveness of each new control implemented. (OIG Control Number FS-09-02)


2.  Finding Summary: PBGC's process for the completion of C&A packages in accordance with NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, is ineffective. Fundamental weaknesses in PBGC's infrastructure architecture and design do not support the certification and accreditation of its information systems. Furthermore, PBGC's information systems employ obsolete and antiquated technologies that pose additional risk to the availability of financially significant systems.

    Recommendations:

    o   Develop and implement a well-designed security management program that will provide security to the information and information systems that support the operations and assets of the Corporation, including those managed by contractors or other Federal agencies. (OIG Control Number FS-09-03)

    o   Complete the development and implementation of the redesign of PBGC's IT infrastructure and the procurement and implementation of technologies to support a more coherent approach to providing information services and information system management controls. (OIG Control Number FS-09-04)

    o   Implement an effective review process to validate the completion of the certification and accreditation packages for all major applications and general support systems. The review should not be performed by an individual associated with the performance of the C&A or by someone who could influence the results. This review should be completed for all components of the work performed to ensure substantial documentation is available that supports and validates the results obtained. (OIG Control Number FS-08-02)

    o   Ensure that adequate documentation is maintained which supports, substantiates, and validates all results and conclusions reached in the C&A process. (OIG Control Number FS-09-05)

    o   Establish and implement comprehensive procedures and document the roles and responsibilities that ensure oversight and accountability in the certification and review process. Retain evidence of oversight reviews and take action to address erroneous or unsupported reports of progress. (OIG Control Number FS-09-06)

    o   Maintain an accurate and authoritative inventory list of major applications and general support systems. Ensure the list is disseminated to responsible staff and used consistently throughout PBGC OIT operations. (OIG Control Number FS-09-07)

    o   Implement an independent and effective review process to validate the completion of the certification and accreditation packages for all applications and general support systems hosted on behalf of PBGC by third party processors. The effective review should include examining host and general controls risk assessments. (OIG Control Number FS-08-03)

    o   Implement robust and rigorous review procedures to verify that future contracts for the Certification and Accreditation of PBGC's systems clearly outline expectations and deliverables in the statement of work. (OIG Control Number FS-09-08)

    o   Implement a robust and rigorous quality review process to verify contractor C&A deliverables meet the requirements specified in the statement of work. (OIG Control Number FS-09-09)

    o   Establish controls to ensure that contract staff tasked with the C&A of PBGC systems have the appropriate knowledge and background to accurately and comprehensively complete the C&A process. (OIG Control Number FS-09-10)

    o   Implement a robust and rigorous process to verify compliance with PBGC's policy on contractor management throughout the C&A lifecycle. (OIG Control Number FS-09-11)


3.  Finding Summary: Information security policies and procedures were not fully disseminated and implemented. PBGC is not able to effectively enforce compliance for Security Awareness training.

    Recommendation:

    o   Develop and implement a process to enforce the dissemination and awareness of PBGC's security policies and procedures through adequate training. (OIG Control Number FS-07-04)


4.  Finding Summary: Office of Information Technology (OIT) and system owners (i.e. business owners) have not established and documented service level agreements that include metrics on OIT services required to meet business goals.

    Recommendation:

    o   Establish, document, and publish measurable services that OIT provides to the Corporation, that are acceptable to all information system owners. (OIG Control Number FS-07-06)


5.  Finding Summary: PBGC's configuration management controls are labor intensive and ineffective. Weaknesses in the design of PBGC's infrastructure and deployment strategy for systems and applications created an environment where strong technical controls and best practices cannot be effectively implemented. Configuration management controls are therefore not consistently implemented across PBGC's general support systems.

    Recommendations:

    o   Develop and implement procedures and processes for the consistent implementation of common configuration management controls to minimize security weaknesses in general support systems. (OIG Control Number FS-07-07)

    o   Develop and implement a coherent strategy for correcting IT infrastructure deficiencies and
a framework for implementing common\n                                                   security controls, and mitigating the systemic\n                                                   issues related to access control by\n                                                   strengthening system configurations and user\n                                                   account management for all of PBGC\xe2\x80\x99s\n                                                   information systems. (OIG Control Number\n                                                   FS-09-12)\n\n                                                   Establish baseline configuration standards for\n                                                   all of PBGC\xe2\x80\x99s systems. (OIG Control Number\n\n\n                                              12\n\x0c                Finding Summary                                   Recommendation\n                                                   FS-09-13)\n                                                   Review configuration settings and document\n                                                   any    discrepancies    from     the   PBGC\n                                                   configuration   baseline.    Develop     and\n                                                   implement corrective actions for systems that\n                                                   do not meet PBGC\xe2\x80\x99s configuration standards.\n                                                   (OIG Control Number FS-09-14)\n                                                   Ensure test, development and production\n                                                   databases are appropriately segregated to\n                                                   protect sensitive information and also fully\n                                                   utilized to increase system performance. 
(OIG\n                                                   Control Number FS-09-15)\n                                                   Establish interim procedures to implement\n                                                   available compensating controls (such as\n                                                   establishing a test team to verify developer\n                                                   changes in production) until a comprehensive\n                                                   solution to adequately segregate test,\n                                                   development and production databases can\n                                                   be implemented. (OIG Control Number FS-\n                                                   09-16)\n\n\n6. PBGC\xe2\x80\x99s policies and practices have not Continue to remove unnecessary user and/or\neffectively restricted the addition of unnecessary generic accounts. (OIG Control Number FS-\nand generic accounts to systems in production. 07-08)\nConsequently, the number of unnecessary and\ngeneric accounts grew over the years. PBGC\nmanagement has not determined if the removal\nof all legacy generic accounts would disrupt\nproduction activities.\n\n\n7. Controls are not consistently implemented       Consistently      implement  controls    to\nto appropriately segregate duties and grant        appropriately segregate duties and grant\nrights and privileges commensurate with the job    rights and privileges commensurate with the\nfunctions and responsibilities. PBGC does not      job functions and responsibilities. (OIG\nhave a coherent strategy for enforcing             Control Number FS-07-09)\nsegregation of duties through strong technical\ncontrols in its applications and general support   Assess the risk associated with lacking\nsystems.                                           
segregation of duties, password management,\n                                                   and overall inadequate system configuration.\n                                                   Discuss risk with system owners and\n                                                   implement compensating controls wherever\n                                                   possible. If compensating controls cannot be\n                                                   implemented the system owner should sign-\n                                                   off indicating risk acceptance. (OIG Control\n                                                   Number FS-09-17)\n\n\n                                              13\n\x0c                 Finding Summary                                     Recommendation\n\n8. Developers have access to the production           Appropriately restrict developers\xe2\x80\x99 access to\nenvironment, which exposes PBGC to the risk of        production environment to only temporary\nunauthorized modification of the application, the     emergency access. 
(OIG Control Number\ncircumvention   of    critical  controls,    and      FS-07-10)\nunnecessary access to sensitive data.\n                                                      Assess developers\xe2\x80\x99 access to production on\n                                                      all PBGC systems and determine if access is\n                                                      required based on the security principles\n                                                      \xe2\x80\x9cneed to know and least privilege.\xe2\x80\x9d If\n                                                      developers require access to a specific\n                                                      application, the reason should be documented\n                                                      and management should sign-off indicating\n                                                      acceptance of the risk(s). In all other\n                                                      instances developer access to production\n                                                      should be immediately removed. (OIG\n                                                      Control Number FS-09-18)\n\n\n9. Controls are not consistently applied to           Consistently apply controls to ensure that\nensure that authentication parameters for             authentication parameters for PBGC\xe2\x80\x99s general\ngeneral support systems (e.g. Novell, Windows,        support systems (e.g. Novell, Windows, Sun\nSUN Solaris, Oracle, etc.) and applications are       Solaris, Oracle, etc.) and applications are in\nin compliance with the IAH. PBGC\xe2\x80\x99s                    compliance with the IAH. 
(OIG Control\ndecentralized approach to system development          Number FS-07-11)\nand configuration management has made it\nparticularly difficult to implement consistent        Implement a manual review process whereby\ntechnical controls across PBGC\xe2\x80\x99s many                 OIT periodically reviews systems for\nsystems, platforms, and applications.                 compliance with baseline settings. (OIG\n                                                      Control Number FS-09-19)\n\n\n10. PBGC is still in the process of identifying       For the remaining systems, apply controls to\ndependencies between databases, applications,         lock out and remove inactive and dormant\nand operating systems in order to fully               accounts after a specified period in\nimplement controls to lock out and remove             accordance with the IAH. (OIG Control\ninactive and dormant accounts. However, there         Number FS-07-12)\nare still some PBGC systems that have not\nimplemented these controls.\n\n\n11. The      OIT    recertification   process    is   Complete the implementation of the\nincomplete and only addresses generic and             recertification process for all user and system\nservice accounts; it does not include all user and    accounts. Continue to perform annual\nsystem accounts. In addition, the Recertification     recertification and include all PBGC\xe2\x80\x99s\nof User Access Process, version 1.2, does not         accounts (e.g. user, generic, service, and\nexplicitly state that all accounts (e.g. user,        systems accounts) for general support\nsystem, and service) across all platforms and         systems and major applications. (OIG Control\napplications will be re-certified annually.           Number FS-07-13)\n\n\n\n                                                 14\n\x0c                 Finding Summary                                    Recommendation\n\n12. 
Vulnerabilities found in key databases and       Implement controls to remedy vulnerabilities\napplications      include    weaknesses       in     noted in key databases and applications such\nconfiguration, roles, privileges, auditing, file     as weaknesses in configuration, roles,\npermissions, and operating system access.            privileges, auditing, file permissions, and\nThese PBGC system vulnerabilities are caused         operating system access. (OIG Control\nby an ineffective deployment strategy in the         Number FS-07-14)\ndevelopment,        test,    and     production\nenvironments. Ineffective system deployments         Implement controls to remedy weaknesses in\nhave resulted in an environment that is in           the deployment of servers, applications, and\ndisarray.                                            databases in the development, test, and\n                                                     production environments. (OIG Control\n                                                     Number FS-09-20)\n\n\n13. Access request authorizations were not           Ensure that adequate documentation of\nappropriately documented. PBGC has not fully         access authorization is maintained by\nimplemented controls to ensure Enterprise Local      implementing    proper   monitoring and\nArea Network (ELAN) forms are properly               enforcement measures in compliance with\ndocumented and maintained.                           approved policies and procedures. (OIG\n                                                     Control Number FS-07-15)\n\n\n14. PBGC lacks an effective process to track         Update and enforce directive PM 05-1, PBGC\ncontractors throughout their employment at           Entrance on Duty and Separation Procedures\nPBGC, including appropriate notifications of start   for Federal and Contract Employees, to\ndates and separation. 
Management has                 ensure contract personnel can be tracked\nreported that policies and procedures, to include    effectively. Also, ensure a formal Entrance on\nPBGC directive PM 05-1, PBGC Entrance on             Duty and Separation Clearance process is\nDuty and Separation Procedures for Federal and       followed. (OIG Control Number FS-07-16)\nContract Employees have not been updated to\nprovide effective enforcement of controls\ndesigned to track entrance and separation of all\nFederal and contract employees.\n\n\n15. Periodic logging and monitoring of security-     Implement a logging and monitoring process\nrelated events for PBGC\xe2\x80\x99s applications were          for application security related events and\ninadequate CFS, PAS, Trust Accounting System         critical system modifications (e.g. CFS, PAS,\n(TAS), Participant Records Information Systems       TAS, PRISM, and IPVFB). (OIG Control\nManagement (PRISM), and Integrated Present           Number FS-07-17)\nValue of Future Benefits (IPVFB) System.\nPBGC\xe2\x80\x99s information technology infrastructure\nconsist of multiple legacy systems and\napplications (e.g. PAS, TAS, IPVFB, PRISM,\nGENESIS database, Solaris 8, Oracle 8i, Novell\nNetWare 5.1, Windows NT, etc.) that do not\nhave a coherent architecture for the\nmanagement and security of these systems.\n\n\n                                                15\n\x0cVIII. FISMA RECOMMENDATIONS CLOSED IN FISCAL YEAR 2009\n\n        OIG Control Number   Date Closed              Original Report Number\n\n        None\n\n\n\n\nIX.   
PRIOR AND CURRENT YEARS\xe2\x80\x99 OPEN FISMA RECOMMENDATIONS\n\n        OIG Control Number                 Original Report Number\n\n        Prior Year\n        None\n\n\n\n\n        Current Year\n        FISMA-09-01                        EVAL-2010-7/FA-09-64-7\n        FISMA-09-02                        EVAL-2010-7/FA-09-64-7\n        FISMA-09-03                        EVAL-2010-7/FA-09-64-7\n        FISMA-09-04                        EVAL-2010-7/FA-09-64-7\n        FISMA-09-05                        EVAL-2010-7/FA-09-64-7\n        FISMA-09-06                        EVAL-2010-7/FA-09-64-7\n        FISMA-09-07                        EVAL-2010-7/FA-09-64-7\n        FISMA-09-08                        EVAL-2010-7/FA-09-64-7\n        FISMA-09-09                        EVAL-2010-7/FA-09-64-7\n        FISMA-09-10                        EVAL-2010-7/FA-09-64-7\n        FISMA-09-11                        EVAL-2010-7/FA-09-64-7\n        FISMA-09-12                        EVAL-2010-7/FA-09-64-7\n\n\n\n\n                                    16\n\x0cX.   MANAGEMENT RESPONSE\n\n\n\n\n                           17\n\x0c18\n\x0c19\n\x0c20\n\x0c21\n\x0cIf you want to report or discuss confidentially any instance\n of misconduct, fraud, waste, abuse, or mismanagement,\n      please contact the Office of Inspector General.\n\n\n\n                       Telephone:\n            The Inspector General\xe2\x80\x99s HOTLINE\n                    1-800-303-9737\n\n  The deaf or hard of hearing, dial FRS (800) 877-8339\n   and give the Hotline number to the relay operator.\n\n\n\n                           Web:\n       http://oig.pbgc.gov/investigation/details.html\n\n\n\n                         Or Write:\n          Pension Benefit Guaranty Corporation\n               Office of Inspector General\n                     PO Box 34177\n             Washington, DC 20043-4177\n\x0c"